FISMA 1.0

On December 17, 2002, the President signed into law the Electronic Government Act. Title III of that Act is FISMA, which lays out the framework for annual IT security reviews, reporting, and remediation planning at federal agencies. It requires that agency heads and IGs evaluate their agencies' computer security programs and report the results of those evaluations to OMB, Congress, and the GAO. [1]



[1] House Oversight and Government Reform website
OMB directs "snapshots" of process and compliance

1. "Annual" systems inventory
2. "Annual" testing
3. C&A every "three" years
4. Weaknesses "Quarterly"
5. Train "once a year" (awareness)

Certification and Accreditation studies 



Continuous:

7. Incident Reporting
6. Configuration Management
5. "Daily" weakness updates
4. C&A technical controls x 72
3. Daily, not "Annual", testing
2. Inventory improvements
1. "Daily" awareness training



Certification and Accreditation study of technical controls 



[Figure: RISK diagram with three elements: Threat, Vulnerabilities, Impact]





Threats Increase

Years | Tickets
2008 | 2104
2009 | 3085
2010 | +6000 projected (*3000 by June 2010)

Type of ticket: Malicious Code; Unauthorized Access; Denial of Service; Improper Use; Scans/Probes/Attempted Access; Investigation



Nature of Attacks

80% of attacks leverage known vulnerabilities and configuration management setting weaknesses.

"Attack Readiness"
• What time is spent on
• Faster action = lower potential risk



Risk Valuation



Bad Things By The Numbers

Littering / chemical dumping - L.A. Hotel Fined: Hotel pays a $200,000 fine because an employee dumps pool chemicals into a drain; fumes fill a subway station; several people become ill. (March 23, 2010)




Case Study:
(1) Scan every 2-15 days
(2) Find & Fix Top Issues Daily
(3) Personal results graded
(4) Hold managers responsible





Results First 12 Months

[Chart: Personal Computers and Servers, Domestic Sites vs. Foreign Sites; 90% Reduction over the first 12 months; date axis unreadable]
Call a Problem 40x Worse

[Chart: MS10-018 Patch Coverage during the Operation Aurora Attack, 2-Apr through 16-Apr 2010; y-axis 0% to 100%]

Risk scoring moves State Dept from 20 - 85% patched in six (6) days: April 3-9, 2010
Efficiency is Repeatable & Sustained

[Chart: MS10-042, August 2010: Percent of applicable devices patched when charging 40 points; y-axis 10% to 100%; date axis unreadable]
• Expected Value (Based on all reporting machines)
• Lower Bound (Assumes all non-reporting machines are non-compliant)

0 - 84% in seven (7) days
0 - 93% in 30 days



Why and How?

CXOs are accountable for IT security BUT directly supervise only a small part of the systems actually in use.



Tactical Problem
• In combat whoever "Observes - Orients - Decides - Acts" fastest wins.
• Cyber attacks are evolving faster than they can be counteracted outside DoD



Structuring for Success

#1: Narrow Aim

CAG ID | Consensus Audit Guideline | NIST 800-53 | US CERT Report [11 months before Feb 09]
1 | Inventory of authorized and unauthorized hardware | CM-1, CM-2, CM-3, CM-4, CM-5, CM-8, CM-9 | +6%
2 | Inventory of authorized and unauthorized software | CM-1, CM-2, CM-3, CM-5, CM-7, CM-8, CM-9, SA-7 | +22%
5 | Boundary Defense | AC-17, RA-5, SC-7, SI-4 | +7%
9 | Controlled access based on need to know | (control list unreadable in source) | 1%
12 | Anti-malware defenses | AC-3, AC-4, AC-6, AC-17, AC-19, AC-20, AT-2, AT-3, MA-3, MA-4, MA-5, MP-2, MP-4, PE-3, PE-4, PL-4, PS-6, RA-5, SA-7, SA-12, SA-13, SC-3, SC-7, SC-11, SC-20, SC-21, SC-22, SC-23, SC-25, SC-26, SC-27, SC-29, SC-30, SC-31, SI-3, SI-8 | +60%
#2: Set Metrics

Quantify risk for action:

a. Name common standards

Component | Risk Score | Avg/Host | % of Score | How Component is Calculated
VUL - Vulnerability | 947.0 | 3.0 | 10.9% | From .1 for the lowest risk vulnerability to 10 for the highest risk vulnerability (annotated on the slide: cube and divide by 100)
PAT - Patch | 603.0 | 1.9 | 6.9% | From 3 for each missing "Low" patch to 10 for each missing "Critical" patch
SCM - Security Compliance | 6,181.1 | 19.5 | 71.2% | From .9 for each failed Application Log check to .43 for each failed Group check (remainder unreadable)
AVR - Anti-Virus | 0.0 | 0.0 | 0.0% | 6 per day for each signature file older than 5 days
SOE - SOE Compliance | 115.0 | 0.4 | 1.3% | 5 for each missing or incorrect version of an SOE component
ADC - AD Computers | 26.0 | 0.1 | 0.3% | 1 per day for each day the AD computer password age exceeds 35 days
ADU - AD Users | 222.0 | 0.7 | 2.6% | 1 per day for each account that does not require a smart-card and whose password age > 60, plus 5 additional if the password never expires
SMS - SMS Reporting | 230.0 | 0.7 | 2.6% | 100 + 10 per day for each host not reporting completely to SMS
VUR - Vulnerability Reporting | 84.0 | 0.3 | 1.0% | After a host has no scans for 15 consecutive days, 5 + 1 per 7 additional days
SCR - Security Compliance Reporting | 279.0 | 0.9 | 3.2% | After a host has no scans for 30 consecutive days, 5 + 1 per 15 additional days
Total Risk Score | 8,687.1 | 27.4 | 100.0% |

For additional information on Risk Scoring, assistance with remediation, or to report suspected false positives, contact the IT Service Center to open a "Risk Score" ticket.



b. Quantify Unique Threats

[Chart: Google-Aurora Attack, MS10-018 Patch Coverage, 2-Apr through 16-Apr 2010]
40 points: April 3-9, 2010

MS10-012 Patch, Feb - March 2010: Risk scoring escalation from 40, 80, 120, 160 and then 280 points

Technical control data efficiency:
> Every 2-15 days not 3 years

Create tiger teams for operations:
> Inventory and to reduce site risks

C&A* cost down 56% then 62%
> Invest in tool kits for everything

Support just in time for Certification & Accreditation**



Integrate Information & Tools

Timely - Targeted - Prioritized

"Metrics with the Most Meaning"
The One to One Fieldbook: The Complete Toolkit for Implementing a 1 to 1 Marketing Program by Don Peppers, Martha Rogers, and Bob Dorf
#5 Embed Time & Results Checks into Daily Operations

[Screenshot: iPost (IWOPS/ENM) Enterprise Network Management; menu: Regional View, Dashboard, Risk Scores, Performance, Security, Configuration, Reports, DoS, Resource, Logoff]

Risk Scoring Reports:
• All Risk Scoring Exceptions (Enterprise Level): Enterprise and local risk scoring exceptions
• Vulnerability Management (Enterprise Level): Active scoring exceptions for vulnerabilities
• Risk Score Rank (Site Level): Displays site risk score ranks in the enterprise
• Enterprise Risk Score Monitor (Enterprise Level): Risk scores, grades, and rankings for each primary site in the Enterprise
• Site Collection Risk Score Monitor (Enterprise Level): Risk scores, grades, and rankings for each site in a named site collection
• Regional Risk Score Monitor (Regional Level): Risk scores, grades, and rankings for each site
• Risk Scoring Exceptions (Site Level): Risk scoring exceptions applicable to the selected site
• Risk Score Advisor (Site Level): Analysis assistance to facilitate improvement of risk score



Risk Score Advisor

Site Risk Score: 8,687.1
Hosts: 317
Average Risk Score: 27.4
Risk Level Grade: A+
Rank in Enterprise: 163 of 438
Rank in Region: 16 of 48



The following grading scale is provided by Information Assurance and may be revised periodically.

Average Risk Score, At Least | Less Than | Grade
0.0 | 40.0 | A+
40.0 | 75.0 | A
75.0 | 110.0 | B
110.0 | 180.0 | C
180.0 | 230.0 | D
230.0 | 400.0 | F
400.0 | (no upper bound) | F-
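A worked example of the component scoring rules and the grading scale above, added here as illustration (it is not the State Department's iPost code). The `Host` fields and function names are assumptions, as are the Moderate/Important patch weights between the slide's "Low" and "Critical" endpoints and the reading of the "Cube and Divide by 100" annotation as applying to CVSS scores.

```python
"""iPost-style risk scoring (added example, not State Department code), following the
component table and grading scale on the slides. Assumptions: "Cube and Divide by 100"
applies to the CVSS base score (VUL); Moderate=5, Important=7 fill the patch scale."""
from dataclasses import dataclass, field

GRADE_SCALE = [(0.0, 40.0, "A+"), (40.0, 75.0, "A"), (75.0, 110.0, "B"),
               (110.0, 180.0, "C"), (180.0, 230.0, "D"), (230.0, 400.0, "F"),
               (400.0, float("inf"), "F-")]
PATCH_POINTS = {"Low": 3, "Moderate": 5, "Important": 7, "Critical": 10}

@dataclass
class Host:
    cvss_scores: list = field(default_factory=list)      # CVSS of open vulnerabilities
    missing_patches: list = field(default_factory=list)  # severity of each missing patch
    av_signature_age_days: int = 0
    missing_soe_components: int = 0
    ad_password_age_days: int = 0
    sms_days_not_reporting: int = -1   # -1: host reports completely to SMS
    days_since_vuln_scan: int = 0
    days_since_compliance_scan: int = 0

def overdue(days, grace, period):
    """5 points once 'grace' days pass with no scan, +1 per further 'period' days."""
    return 0 if days <= grace else 5 + (days - grace) // period

def score_host(h):
    """Per-component points for one host, per 'How Component is Calculated'."""
    return {
        "VUL": sum(c ** 3 / 100 for c in h.cvss_scores),   # .1 (lowest) .. 10 (highest)
        "PAT": sum(PATCH_POINTS[p] for p in h.missing_patches),
        "AVR": 6 * max(0, h.av_signature_age_days - 5),     # 6/day once older than 5 days
        "SOE": 5 * h.missing_soe_components,
        "ADC": max(0, h.ad_password_age_days - 35),         # 1/day beyond 35 days
        "SMS": 0 if h.sms_days_not_reporting < 0 else 100 + 10 * h.sms_days_not_reporting,
        "VUR": overdue(h.days_since_vuln_scan, 15, 7),
        "SCR": overdue(h.days_since_compliance_scan, 30, 15),
    }

def user_points(password_age_days, requires_smart_card, never_expires):
    """ADU: 1/day beyond 60 for accounts not requiring a smart-card, +5 if never expires."""
    return 0 if requires_smart_card else max(0, password_age_days - 60) + (5 if never_expires else 0)

def grade_for(avg_per_host):
    return next(g for lo, hi, g in GRADE_SCALE if lo <= avg_per_host < hi)

def site_summary(host_scores, user_scores):
    """Site total, average per host and grade, as on the Risk Score Advisor."""
    total = sum(sum(s.values()) for s in host_scores) + sum(user_scores)
    avg = total / len(host_scores)
    return {"total": round(total, 1), "avg_per_host": round(avg, 1), "grade": grade_for(avg)}
```

With the slide's own figures, 8,687.1 points over 317 hosts gives 27.4 per host, which `grade_for` places in the A+ band exactly as the Advisor screen shows.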



[Chart: Risk Score Profile, average per host by component: VUL 3.0, PAT 1.9, AVR 0.0, SOE 0.4, ADC 0.1, ADU 0.7, SMS 0.7, VUR 0.3, SCR 0.9; SCM bar value not legible]







[Chart: Risk Score History, 2009 May 01 through 2009 Nov 01]







Server Performance
• Network Latency
• Network Traffic
• Network Usage
• Performance Alerts
• Compliance Scans
• Vulnerability Scans
• Active Directory
• Patch Management



#6 Assure Ongoing Accountability and Continuous Improvement

Benefit of Continuous Attention

[Chart: risk score trend, 5/17/2009 through 8/10/2010; legend: Steady or Decreases, Increases, Projected, Poly. (Projected)]

If corrective action stopped, how quickly would risk accumulate?



Risk Score Monitor, Enterprise

Total Hosts | 32,366 | 51,157
Average Risk Score per Host | 101.7 | 33.2

1/3 of Remaining Risk Removed

[Chart: average risk score per host, Domestic vs. Foreign, y-axis 20 to 200, through Year 2; date axis unreadable]
#7 Design to Test

Should we position our best solutions before or after accidents?

Cofferdam unit departing Wild West in Port Fourchon on the Chouest 280 workship named Joe Griffin, 05 May 2010 -- Photo from BP.com
Continuous C&A Process will provide more effective real-time security - not just a snapshot in time

[Diagram: Continuous C&A Process; step label partially unreadable: "... Security Plan"]

Details empower technical managers FOR TARGETED, DAILY ATTENTION TO REMEDIATION

Summaries empower executives TO OVERSEE CORRECTION OF MOST SERIOUS PROBLEMS



Lessons Learned

• When continuous monitoring augments snapshots required by FISMA:
  - Mobilizing to lower risk is feasible & fast (11 mo)
  - Changes in 24 time zones with no direct contact
  - Cost: 15 FTE above technical management base
• This approach leverages the wider workforce
• Security culture gains are grounded in fairness, commitment and personal accountability for improvement

Conclusions

• Scalable to large complex public and private sector organizations
• Higher ROI for continuous monitoring of technical controls as a substitute for paper reports
• Summarized risk estimates could be fed to enterprise level reporting
Background

Steps at the State Department

- Continuous Certification & Accreditation Pilot and contracts - Summer 2010
- 1st Year: State Measures 89% risk reduction - July 09
- Enterprise pilot test on servers/PC's begins - July 08
- C&A Cost reduced 56%, then to 62% with Toolkits - 2007
- Coalition for grading better cyber risk - State 2006
- COTS Vulnerability & Config Mgmt Scanner - State 2005
- Grades A-F: Use Risk Points + Letters to Execs - USAID 2004
- Increase Scanning to Every 3 Days - USAID late FY 2003
Architecture

Integration (& Impact)

Answer: Adjust priorities for hardening in response to actual/possible threats
> Federal Level




Training

Tips of the Day Application

Security Tip of the Day

Is your classified media "secured?"

Removable hard drives containing classified information must be locked in an approved safe after you finish using them!

Classified media aren't "secured" until they are locked in an approved safe.

If I leave my computer for any reason, I must secure all removable media that contain CLASSIFIED information.

[Screenshot controls: help/comment, view my results]



POCs

For further information, the following POCs:

Points of Contact

John Streufert
Chief Information Security Officer
Department of State
Arlington, VA 22209




